ATutor 2.2.4 ‘Backup’ Remote Command Execution (CVE-2019-12170)

ATutor-Instructor-Backup-Exploit

ATutor 2.2.4 is vulnerable to arbitrary file uploads via the backup function that may result in remote command execution.

First login with the instructor account and select a course:

  • #1 http://[atutor address]/atutor/bounce.php?course=1

Then navigate to “Manage”

  • #2 http://[atutor address]/atutor/tools/index.php

Next select Backups/Upload

  • #3 http://[atutor address]/atutor/mods/_core/backups/upload.php

 

From here a specially crafted backup zip file i.e “pwned_backup.zip” can be uploaded that will result in remote command execution.

 

 

 

The PoC arbitrary file can be found at: http://[atutor address]/atutor/content/1/pwned/poc.PhP

or

C:\xampp\htdocs\ATutor\content\1\pwned\poc.PhP

 

Note: The “1” in the address will change based on the course number and the “content” directory may be different. However by default the installation calls for the dir name to be “content”. This has been tested on both linux/windows installations.

Author: McPeters Joseph

Joseph McPeters is a Security Researcher. He specializes in network and web application penetration testing. Contact: admin@incidentsecurity.com

Leave a Reply

Your email address will not be published. Required fields are marked *